RSPEC-5147: NoSQL operations should not be vulnerable to injection attacks

    Details

    • Message:
      Change this code to not construct database queries directly from user-controlled data.
    • Highlighting:
      "[varname]" is tainted (assignments and parameters)
      this argument is tainted (method invocations)
      the returned value is tainted (returns & method invocation results)
    • Default Severity:
      Blocker
    • Impact:
      High
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C#, Java, PHP
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Level:
      Abstract Interpretation
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-943
    • OWASP:
      A1
    • SANS Top 25:
      Insecure Interaction Between Components

      Description

      User-provided data, such as URL parameters or POST body content, should always be considered untrusted and tainted. Applications that perform NoSQL operations on tainted data can be exploited in a way similar to SQL injection: an attacker can inject NoSQL objects (for example, query operators in place of a plain value) to access sensitive information or compromise data integrity.

      The problem can be mitigated by ensuring that the input is of type String, or by sanitizing the user-provided data before it reaches the query.
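      The following JavaScript is an added example, not code from this rule page or from SonarSource: it places a login filter built straight from request data next to the two mitigations the description names (a String type check and a sanitizer that drops operator keys). The in-memory collection, the tiny `matches` evaluator and the request bodies are constructed stand-ins for a real document-database driver and are assumptions of the example, not part of any library.

```javascript
// Constructed sample collection standing in for a users table.
const users = [
  { username: "alice", password: "correct horse", role: "admin" },
  { username: "bob", password: "battery staple", role: "user" },
];

// Minimal filter evaluator (assumption: a real driver supports far more).
// A plain value means equality; an object may carry $ne or $gt operators.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const v = doc[field];
    if (cond !== null && typeof cond === "object") {
      if ("$ne" in cond) return v !== cond.$ne;
      if ("$gt" in cond) return v > cond.$gt;
      return false; // unknown operator object matches nothing
    }
    return v === cond;
  });
}

function find(filter) {
  return users.filter((d) => matches(d, filter));
}

// Noncompliant: request body values flow straight into the query object.
// If the body carries an operator object instead of a string, the filter's
// meaning changes and it can match documents it was never meant to.
function loginUnsafe(body) {
  const filter = { username: body.username, password: body.password };
  return find(filter);
}

// Compliant, option 1: enforce the String type and reject anything else.
function requireString(value, name) {
  if (typeof value !== "string") {
    throw new TypeError(`${name} must be a string`);
  }
  return value;
}

function loginTyped(body) {
  const filter = {
    username: requireString(body.username, "username"),
    password: requireString(body.password, "password"),
  };
  return find(filter);
}

// Compliant, option 2: sanitize by recursively dropping keys that start
// with "$", so operator objects lose their operators before the query.
function sanitize(value) {
  if (Array.isArray(value)) return value.map(sanitize);
  if (value !== null && typeof value === "object") {
    const clean = {};
    for (const [k, v] of Object.entries(value)) {
      if (!k.startsWith("$")) clean[k] = sanitize(v);
    }
    return clean;
  }
  return value;
}

function loginSanitized(body) {
  const b = sanitize(body);
  return find({ username: b.username, password: b.password });
}
```

      With a body such as `{ username: "alice", password: "correct horse" }` all three functions return one document; with a body whose fields are operator objects, `loginUnsafe` matches every user, `loginTyped` throws a `TypeError`, and `loginSanitized` matches nothing. The type check is the stricter of the two and is the one to prefer at a trust boundary; sanitizing is useful when a nested document must be accepted from the client.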


      Issue Links

      1. Java RSPEC-5158 Language-Specification Active Unassigned
      2. C# RSPEC-5159 Language-Specification Active Unassigned
      3. PHP RSPEC-5160 Language-Specification Active Unassigned
      4. JavaScript RSPEC-6078 Language-Specification Active Unassigned

      People

      • Assignee: Unassigned
      • Reporter: lars.svensson Lars Svensson (Inactive)
      • Votes: 0
      • Watchers: 1
